S4 E05: Cloud Security and Compliance Best Practices

Transcript

Jordan Eisner  
All right, here we are. Another episode of Compliance Pointers. Welcome back to everybody and welcome back, especially to you, Alec Harrell. How are you doing, man?


Alec Harrell  

Doing good, second time on.


Jordan Eisner  

Second time. OK, Yep. Second time in four years of employment, as you just shared with me before this coming up on your four-year anniversary. But I don’t think we’ve been doing the podcast for four years, maybe three though, so we’re going to need to keep.


Alec Harrell  

That is correct.


Jordan Eisner  

Get that rate of guest appearances on the podcast a little higher than, you know, one every two years.


Alec Harrell  

Sounds good with me.


Jordan Eisner  

Yeah, yeah. Mainly because, like myself, you hail from Middle Georgia, Macon, and I think the world could use more of that, don’t you think?


Alec Harrell  

I do. Good place to be from.


Jordan Eisner  

I mean, let’s see. Who do we share that in common with? Little Richard, Otis Redding.


Alec Harrell  

Allman Brothers.


Jordan Eisner  

Allman Brothers. Yes, there you go. That’s about it.


Alec Harrell 

As far as I know, yes.


Jordan Eisner  

Kareem Jackson, who played for the Texans and the Broncos, is a Pro Bowler.


Alec Harrell  

OK.


Jordan Eisner  

Yeah, yeah, I played AAU basketball with Kareem Jackson. He went by Coco back then. Probably still does, but yeah, he played at West Side.


Alec Harrell  

OK, good basketball school.


Jordan Eisner  

Yeah. He was a good basketball player, but he’s better at football, obviously. That’s why he played in the NFL. I wonder if he would remember me. Probably not.


Alec Harrell  

He’s probably listening, I think so.


Jordan Eisner  

Oh, that’s guaranteed. All right. Well, today we’ve got Alec on because he’s a Security Consultant on our cybersecurity team here. In fact, Alec wore a few different hats at CompliancePoint. He came up under our healthcare group initially working on HITRUST and HIPAA security initiatives and then was poached by our cyber group, started helping support Virtual CISO engagements and other types of cybersecurity assessments. You started in healthcare because you had a past background in healthcare and have dabbled, and dabbled is probably not the right word, it’s much more than that, in cloud security. So we wanted to talk today about cloud security, how a lack thereof can compromise security initiatives, obviously your security posture, but also compliance initiatives around security and privacy.
And so who better to speak to that than somebody that more than dabbles in cloud security, has worked in frameworks such as HITRUST or around compliance regulations like HIPAA and is actively guiding organizations through cybersecurity, maturity and posture in that way. So we’ll lean on you for that, and that expertise here and I think we.
I just got a couple quick questions. This is meant to be a quick podcast today to just talk about cloud security. I think there’s many depths we could go into, but just a high-level overview I would say of common misconfigurations to start and then how can that jeopardize posture and compliance?
It’s alignment and forward. So yeah, Alec, anything you want to add on that or do you want to just dive straight into the questions?


Alec Harrell  

Let’s dive in.


Jordan Eisner  

OK, so the first one, as I alluded to, is what are the most common cloud security misconfigurations that you see? And maybe we’ll add a why on top of that.


Alec Harrell 

All right, I would say to start with would be publicly accessible storage and really inadvertent publicly accessible storage. This is when we store data in the cloud, but for whatever reason it becomes public inadvertently, and this could be because DevOps is prioritizing speed over security. Or this could be some automations that we didn’t know accidentally make something public. So that would be the first one.


Jordan Eisner  

OK. All right. It’s number two and three and four. No, I’m just kidding. How many you got there?


Alec Harrell  

I got three I want to talk about today. The next one would be insufficient logging and monitoring. Lots of organizations have ways to monitor activity in the cloud, log events and things like that, but they’re underutilized, either because...


Jordan Eisner  

OK, OK.

Alec Harrell  
We don’t have the resources to triage those events or hey, we bought something, we’re an enterprise organization, we bought it, we secured it and then we never configured it properly. So you see that a lot. And then lastly, I would say would be authentication weaknesses. So these are going to be wide-ranging, but it could be as simple as, hey, our password complexity requirements are not stringent enough, or we don’t use MFA everywhere that it’s supported, or we have MFA or we have applications that don’t support MFA, and that still does happen here in 2026.
Or it could be something more technical than that. Maybe we don’t do session management very well and so we authenticate at the beginning of a session, but the time to live doesn’t expire after somebody logs off or some technical vulnerability within the authentication chain. So those would be the top three that I see here in consulting initiatives, really the biggest one being publicly accessible storage.


Jordan Eisner  

And why? Maybe you said it, but just reiterating the event that you did, why do you think publicly accessible storage is the number one issue and such a common issue?


Alec Harrell  

Well, because there are many ways that it can come about. It can be human error, miscellaneous, right? And we see that with the Verizon data breach report. Every year, misconfigurations and miscellaneous issues are within the top two or three.
So again, it could be an engineer that just accidentally made something public or maybe made it public during testing, but never went back and made something private. Or it could be technical automation that, you know, nowadays there’s infrastructure as code and we can automate a lot of our cloud deployments.
And it gets lost in some of these templates what type of changes maybe we’re doing. And so again, something becomes public, it’s not supposed to be public.


Jordan Eisner  

I see. So one kind of dips into two a little bit then because two, I know you said specifically around logging, but you were talking, you also talked more fundamentally about certain capabilities within systems or tools or applications that these businesses are using, but they’re not taking advantage of those or they’re or they’re not configured correctly. And so it seems like that it’s also a little bit of the issue with the public facing or access to public or sorry, access to data from a public standpoint where it shouldn’t be.


Alec Harrell  

Yeah, a lot of this has to do with access controls, right? It’s data and access to systems and services that we maybe think we have control over and we have an idea of who needs access. But the reality is that we don’t have control over that. So yeah, a lot of these, all three of them I would say, have some tenet in access control and proper access controls.


Jordan Eisner  

So with the authentication and then access controls so.
You know, I think it’s common sense. The more sensitive the you know, the data that you can access within an organization are more confidential, you know, the more authentications, maybe not more, but the more scrutiny that there should be authentication in place, multi-factor authentication around access to that sort of data logging and credentials. What do you do in instances where you know it’s not an access control issue, but it’s a technical issue with the application or that’s being used and it doesn’t offer multi-factor authentication? Do you? What do you tell businesses? Do you accept that risk?
You know, is there something you can do technically where you can only access it through first doing multi-factor authentication and something else and then get to it? How’s that?


Alec Harrell  

Yeah, I would say first off, if we can’t support multi-factor through our own internally implemented application or developed application, then trying to use a third party identity provider, something like an Okta, or being able to tie to Active Directory to give us that second factor, even if the way that we’ve developed the application can’t support multifactor within the application itself, that would be one way to go. But you know these authentication weaknesses that I’m talking about, a lot of them have to do with the way that we design authentication, and so another example might be yes, we have multifactor, we have a username and password and then we have a token, right, or something that is a second factor on our device, but let’s say our password recovery procedures are not very good and so we essentially ask people where they’re born and that’s a way that you can recover without having that second factor.
You and I would know that we were born in Middle Georgia, so we would be able to get into the recovery procedure. And even though we’ve implemented MFA, you know now we have a weakness in the chain of authentication.


Jordan Eisner  

Yeah.


Alec Harrell  

Oh no.


Jordan Eisner  

I was born in Arkansas, of all places, Little Rock, AR, and then we were off to Saint Louis for.


Alec Harrell  

OK.


Jordan Eisner  

I guess several years. We didn’t come to Middle Georgia until 96, so I don’t know, but you know, finished elementary school there, middle school, high school. That should qualify as where I’m from, right?


Alec Harrell  

I think so, right. He would have been what, seven or eight at the time. So yeah, I would, I would think so. I would think so.


Jordan Eisner  

Yep, Yep, exactly.
Yeah, yeah, there you go. The roots.


Alec Harrell 

Yes, very much so.


Jordan Eisner  

I mean, it’s certainly not Arkansas. I can’t even. I don’t think I’ve been to Arkansas since I was, you know, a baby.


Alec Harrell  

I would not have guessed that. So if I was trying to hack into your password recovery, I would not have guessed Arkansas or Little Rock.


Jordan Eisner  

Yeah, Little Rock. OK. So you dipped into a little bit what we would advise around some of those configurations. Any other color you want to add on that around those three top areas and what we recommend companies do first and foremost around those or is it maybe not that simple?


Alec Harrell  

It’s not that simple, but I really think we should focus on the compliance implications of these, right?


Jordan Eisner  

Yes. Good point. Keep me on track. That’s your job, right?


Alec Harrell  

Because you’re the host. But you know, a lot of these can result in a data breach, whether we’ve got, you know, ePHI that is now publicly accessible and so there’s a HIPAA violation, you know, we’re going against making sure that workforce members have appropriate access to ePHI. Now that’s public, right? So that’s a reportable breach. There’s going to be an investigation, potential fines, brand reputational damage, right? Same thing for organizations that have to comply with PCI and cardholder data and keeping that specific type of data from being publicly accessible. Requirement 7 and a little bit of Requirement 8 within PCI DSS focus on access control, and so there are compliance implications from a regulatory standpoint if you have that type of regulated data, all right.
But there are also implications on attestations, accreditations, and assurances that you have, and maybe contractual obligations. Let’s say you’re contractually obligated to maintain a HITRUST certification while making some of these cloud misconfigurations happen, or once they happen you can potentially fail an audit, and now you’re in breach of contract. So there’s wide-ranging, I would say, implications based on the type of data. Are you in a regulated industry or not?

And then what type of contractual obligations and compliance certifications do you have?


Jordan Eisner  

Yeah, helpful. So what can businesses do then to ensure that they are using cloud services securely?


Alec Harrell  

The first and foremost thing, and it’s not exactly cutting edge, but you got to have a set of information security policies. You have to inform your workforce what management intent for information security is and what the requirements are around acceptable use of assets, network security, access control, third party risk management, all these types of things. Without policies, we can’t hold the workforce accountable. We can’t, you know, comply with some of these compliance regulations. And really the second part of that is making sure that your policies are aligned to the framework or regulation that affects your organization. So you know if you’re an ISO shop, you need to have policies that reflect the ISO controls, whether it be 27001 or whatever. But you need to make sure that those controls are present in your policies and the workforce knows how they apply to certain topics, again, acceptable use, network security, things of that nature. And then I would say understanding the shared responsibility model or matrix for the cloud service provider.
This often gets lost because we think, oh, well, that’s an AWS problem or that’s Microsoft’s problem. But generally speaking, AWS, Microsoft, Google Cloud, they’re going to be responsible for the security of the cloud and you’re going to be responsible for security in the cloud: what data do you put in the cloud? Who do you give access to certain types of services and data? So understanding that and how it affects the services within the cloud provider that you use is very big. Again, not cutting edge, but a lot of organizations fall flat in this area.


Jordan Eisner  

Yeah, I was watching a CISO I know on a podcast that I just saw clipped on LinkedIn, and he was talking about how he’s built a security program from scratch and he’s inherited one and, you know, improved it. And he said building from scratch was easier. But what he really learned from it was you can’t do it fast. And what he meant by that was you have to ensure alignment with the business and business objectives and awareness and training and basically a cohesive understanding of why we’re doing this. So you get the buy-in around the controls and the system and the setup and you ensure the right configuration, things are right in line with the goal.
Otherwise you don’t get the adoption you need, you don’t get the control owners supporting the initiative, and that can damage. So I think that’s the fundamental thing there that you kind of covered and then gave more specifics.


Alec Harrell 

Yeah, this must have been a pretty smart CISO because yeah, if you don’t have adoption, if you don’t publish your requirements, if you don’t have buy-in, it’s not going to be done. It’s going to be met with resistance. And right, security is designed to help the business function, reduce risk while helping the business function, it’s no different than, you know, sales or HR. If these types of departments are adversarial in nature, then you’re not going to get adoption, you’re not going to get buy in, and ultimately the business is going to suffer because of that.


Jordan Eisner  

There you go. I think it’s a good part to end on. So well put, Alec. Thanks for joining us again. We’ll get you on once more sometime, you know, before two years from now.


Alec Harrell  

OK, sounds good to me.

Jordan Eisner  
All right, man, stay safe out there in Texas. Glad that the ice is cleared up. And for all the listeners, thank you again for tuning in. If you want more information like this, make sure you subscribe to Compliance Pointers, sponsored by CompliancePoint, and if you have questions about what we covered today or anything in the information security, privacy or compliance realm, please don’t hesitate to reach out. You can find us at compliancepoint.com or you can e-mail us directly at connect@compliancepoint.com. Till next time. Thanks everybody.